
A Debian 8 VM on my ESXi server is running an OpenVPN server which was running fine until I decided to add another interface to the machine with another IP. I would like to use one IP solely for VPN traffic, not for server administration.

These are both external IPs. The provider I'm with uses a rather weird configuration though: I have to set the gateway to an IP outside the subnet. Since not many OSes simply accept this, I have to create a static route.

This is what it looks like:

root@ln-1:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx
          inet addr:92.xxx.xxx.xxx  Bcast:92.xxx.xxx.xxx  Mask:255.255.255.255
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:271765 errors:0 dropped:10 overruns:0 frame:0
          TX packets:4545 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16520579 (15.7 MiB)  TX bytes:1027263 (1003.1 KiB)

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:217.xxx.xxx.xxx  Bcast:217.xxx.xxx.xxx  Mask:255.255.255.255
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:271152 errors:0 dropped:9 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16727664 (15.9 MiB)  TX bytes:1598 (1.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2774 (2.7 KiB)  TX bytes:0 (0.0 B)

And the routes: I have configured the route to 91.xxx.xxx.xxx (which is the gateway) on both interfaces, but I made the default on eth0, which I think makes the machine use that one by default. I want the VPN traffic to go through eth1, using the same gateway IP:

root@ln-1:/etc/openvpn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.xxx.xxx.xxx  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
91.xxx.xxx.xxx  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
91.xxx.xxx.xxx  0.0.0.0         255.255.255.255 UH    0      0        0 eth0

And the iptables configuration:

root@ln-1:/etc/openvpn# iptables-save
# Generated by iptables-save v1.4.21 on Tue May  9 00:08:15 2017
*filter
:INPUT DROP [8286:454500]
:FORWARD DROP [801:48621]
:OUTPUT ACCEPT [4648:980772]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue May  9 00:08:15 2017
# Generated by iptables-save v1.4.21 on Tue May  9 00:08:15 2017
*nat
:PREROUTING ACCEPT [19909:1034285]
:INPUT ACCEPT [54:2776]
:OUTPUT ACCEPT [144:10480]
:POSTROUTING ACCEPT [144:10480]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue May  9 00:08:15 2017

SSH I would like to go over eth0; the rest is VPN traffic, which goes over port 443, and over port 80 I serve the OpenVPN setup to make it easy to find. The OpenVPN configuration includes the following lines:

local 217.xxx.xxx.xxx
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

IP forwarding is on, and everything worked until I wanted to use eth0 for everything EXCEPT VPN traffic, and eth1 just for VPN traffic.

I cannot seem to get this to work. I've searched a lot, but I cannot find anyone with a similar setup who has solved this. Any help would be greatly appreciated!

If I have missed something relevant, please tell me and I will add it, of course. Also, I am new to actually posting things on this site, so please excuse me if I am doing anything wrong.

EDIT 10 May 2017 22:07 CEST: I've got new information. Apparently, OpenVPN tries to route/forward from tun0 to eth0. I was experimenting with iptables logging:

-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4

Which showed me this:

May 10 21:20:15 ln-1 kernel: [176312.426411] iptables_FORWARD_denied: IN=tun0 OUT=eth0 MAC= SRC=10.8.0.6 DST=157.56.144.215 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=1513 PROTO=UDP SPT=57959 DPT=3544 LEN=6

I'm also surprised I see PROTO=UDP here because both the server and client are configured to use TCP.

1 Answer


You can use the local parameter in the OpenVPN config file to force the client to bind to an interface using a certain IP address.

--local host

Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

You can specify it in the client config file too:

local ip.add.re.ss

With this, the INCOMING VPN CONNECTIONS (just the tunnel, not the forwarded packets) will only be accepted through eth1. Now, if you want to use eth1 to route the traffic coming FROM THE VPN TO THE INTERNET, you need to use policy-based routing. Something like:

ip rule add from <ip>/<mask> table <table>
ip route add 1.2.3.4/24 via <gateway> dev tun0 table <table>

<table> is either a table name specified in /etc/iproute2/rt_tables, or you can use a numeric id.

This pretty much says that all traffic from <ip>/<mask> will be routed using routing table <table>. IIRC it doesn't use the default table after going through this, so if you need other routes (i.e. a default gateway), you need to add them to the table as well.

I think that with the rule thing you can for sure tune your setup to work.

There's more reference about source based policy routing here:

SuperUser - Source Based Policy Routing & NAT (DNAT/SNAT) aka Multi WANs on CentOS 5

Good luck.

  • Hi, thank you for your answer, I already have the 'local' option in my configuration on the server, but could you elaborate on the policy based routing? I assumed "-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE" already does this.
    – keranoz
    Commented May 9, 2017 at 10:24
  • Hello. It's a complex thing to configure, and it would require a lot of writing. I found an answer somewhere which I believe covers everything you need. superuser.com/questions/638044/…
    – DGoiko
    Commented May 15, 2017 at 7:31
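The policy-based routing the answer points at, worked through for the setup in the question, as an added example that is not part of the original question, answer or comments. The logged packet (IN=tun0 OUT=eth0) is a client's packet carried inside the tunnel that the main table's default route sends towards eth0, where no FORWARD rule accepts it; the MASQUERADE rule cannot change that, because the routing decision is made before POSTROUTING. A rule keyed on the pre-NAT source 10.8.0.0/24 therefore works, and a second rule for packets the server itself sources from the VPN-facing address is needed so the tunnel's own replies leave eth1 as well. The 217.0.2.10 / 91.0.2.1 addresses stand in for the masked ones in the post, table id 100, the rule priorities and the 198.51.100.1 lookup destination are arbitrary choices for this example, and the `onlink` flag is what lets the default route point at a gateway outside the /32:

```shell
#!/bin/sh
# Added example, not from the original question or answer: policy-based
# routing that sends (a) packets forwarded from the OpenVPN subnet and
# (b) packets the server itself sources from the VPN-facing address out of
# eth1 via the off-subnet gateway, while the main table (default via eth0)
# keeps carrying SSH and everything else.
# The addresses below are stand-ins for the masked ones in the question;
# override them through the environment. Table id 100 and the rule
# priorities are arbitrary choices for this example.
set -eu

VPN_IF="${VPN_IF:-eth1}"            # interface that should carry VPN traffic
VPN_ADDR="${VPN_ADDR:-217.0.2.10}"   # stand-in for 217.xxx.xxx.xxx (OpenVPN "local")
GATEWAY="${GATEWAY:-91.0.2.1}"       # stand-in for 91.xxx.xxx.xxx, outside both /32 subnets
TUN_NET="${TUN_NET:-10.8.0.0/24}"    # OpenVPN client subnet (source before MASQUERADE)
TABLE="${TABLE:-100}"                # dedicated routing table for the VPN path
PRIO="${PRIO:-1000}"                 # ip rule priority; lower numbers are checked first

# Emit the plan, one command per line. Keeping the plan separate from
# execution lets it be reviewed (and tested) without root or real interfaces.
pbr_commands() {
    cat <<EOF
ip route replace ${GATEWAY}/32 dev ${VPN_IF} table ${TABLE}
ip route replace default via ${GATEWAY} dev ${VPN_IF} onlink table ${TABLE}
ip rule add from ${TUN_NET} lookup ${TABLE} priority ${PRIO}
ip rule add from ${VPN_ADDR}/32 lookup ${TABLE} priority $((PRIO + 1))
EOF
}

# Apply the plan (needs root). "ip rule add" is not idempotent, so drop
# rules left by an earlier run first instead of stacking duplicates.
pbr_apply() {
    ip rule del from "${TUN_NET}" lookup "${TABLE}" 2>/dev/null || true
    ip rule del from "${VPN_ADDR}/32" lookup "${TABLE}" 2>/dev/null || true
    pbr_commands | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd"
    done
}

# Show which interface the kernel now picks for each class of traffic.
# 198.51.100.1 is only a documentation-range destination for the lookup.
pbr_check() {
    echo "# forwarded VPN client packet (expect dev ${VPN_IF}):"
    ip route get 198.51.100.1 from 10.8.0.6 iif tun0
    echo "# server's own packet from the VPN address (expect dev ${VPN_IF}):"
    ip route get 198.51.100.1 from "${VPN_ADDR}"
    echo "# everything else (expect dev eth0, the main-table default):"
    ip route get 198.51.100.1
    ip rule show
    ip route show table "${TABLE}"
}

case "${1:-plan}" in
    plan)  pbr_commands ;;
    apply) pbr_apply ;;
    check) pbr_check ;;
    *)     echo "usage: $0 [plan|apply|check]" >&2; exit 2 ;;
esac
```

Run it with `plan` to review the commands, `apply` as root, then `check`: the first two lookups should report eth1 and the third eth0. Once forwarded packets leave via eth1, the existing `-A FORWARD -s 10.8.0.0/24 -o eth1 -j ACCEPT` and `-A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT` rules already match, so the filter table needs no change. The rules and the extra table do not survive a reboot; on Debian 8 the usual place to persist them is `post-up` lines for eth1 in /etc/network/interfaces, or a script called from there.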
